Zero Trust Architecture—Myth or Reality?

Trust is an emotion that cannot be applied to machines; however, it is, regularly. In today’s hostile cyberspace, the “trust, but verify” approach typically results in crisis management. The IT landscape has been changing ever since the first computer was invented. More and more organizations are adopting big data, cloud computing, the Internet of things (IoT) and mobile Internet to support their business operations. While leveraging the latest technologies, organizations struggle to manage security for their systems. Most organizations tend to follow industry best practices for managing security such as using a device management system and logical access controls, using secured remote working, and logging and monitoring use, which means authenticated users will be trusted when using a managed device. However, a rogue user may also go unnoticed under these circumstances. Similarly, users may log in from different mobile devices that may or may not be managed devices. Perimeter security is getting blurred due to highly complex network infrastructure.

PERIMETER SECURITY IS GETTING BLURRED DUE TO HIGHLY COMPLEX NETWORK INFRASTRUCTURE.

As human beings, we socialize and trust each other to a certain level. The information shared with others is related to the level of trust they carry in our eyes (i.e., the higher the sensitivity level of information, the greater the level of trust). The same concept was applied in IT architecture until the concept of zero trust was floated in 2010 by an analyst at Forrester. Zero trust is built on the premises that trust cannot be granted forever and needs to be evaluated on a continuous basis.

Zero trust is not a tool but a strategic architectural concept and should be aligned with business priorities. Therefore, it is of utmost importance to seek endorsement from the C-suite. As enterprise priorities evolve over time, the goals of zero trust are adjusted accordingly to align with the business pace and priorities.

Zero Trust Is More Critical Than Ever

The COVID-19 pandemic has caused organizations to move to remote working models within a very short span of time (a few days in some cases). This pandemic has changed nearly every organization’s cyberdefense strategies and models. Pre-pandemic remote working used to be allowed for specific staff with special work laptops. However, as a result of this explosive expansion of remote working, a large number of employees have ended up working from their personal laptops. It is highly probable that a personal laptop with free antimalware lying on a kitchen table connected over a weakly configured home router might be serving as a part-time office.¹

SECURITY PROFESSIONALS AGREE THAT ZERO TRUST IS THE NEXT GENERATION OF CYBERSECURITY; HOWEVER, A LARGE NUMBER OF C-LEVEL EXECUTIVES REMAIN UNAWARE OF THE CONCEPT AND BENEFITS OF ZERO TRUST.

Organizations that concentrate more on external threats tend to fall victim to insiders. As a result, insiders are able to exfiltrate information because they have access to information they, as employees, do not need, and that access is not flagged as an unusual user behavior. Firewalls, virtual local area networks (VLANs) and access control lists (ACLs) have been used for years by security professionals for securing networks. However, in the event of little or no segmentation in infrastructure, an attacker can access resources without facing any major challenges or further security layers in between. It is worth noting for organizations relying on simple user identifications (IDs) and password authentication mechanisms that credential theft is here to stay.

Too many gates have been left open to the external world these days, such as virtual private networks (VPNs), mobile device management and web gateways, each of which is prone to a unique set of attacks because of vulnerabilities. Administrators are always racing to catch up on deploying patches. Similarly, users are often overloaded with several passwords to remember, which often results in writing passwords on sticky notes or otherwise saving them in unsecure places. Organizations tend to run various security products, which, at times, do not work with each other. As a result, security managers struggle to find or create a single report that can show who has access to their resources.²

Understanding Zero Trust

The zero trust model can be explained through a simple analogy of a secret security detail protecting a president or prime minister of a country (referred to as the protect surface in zero trust).³ The secret security detail has a clear idea of:

• Who is the president
• Where is the president
• Who can meet with the president
• How an individual will meet the president
• When the meeting will occur
• What conditions should be true before the meeting with the president takes place

The president is secured by a larger security team (acting as the perimeter device) that secures the surrounding area and special agents (micro-perimeter controls) who remain with the president to protect her or him at all times.

The same concept is deployed for a zero trust model under which the protection model is initiated inside out (i.e., from the protect surface rather than from the perimeter). It is a more practical approach to start modeling cyberprotection from the crown jewels of an organization outward.

A micro-perimeter protecting the crown jewels manages traffic inside the network, whereas perimeter devices prevent any unauthorized access from an external network. Network traffic is encrypted and monitored for authorized and unauthorized access. Users must prove their identity and the device will be validated before access to the resource is granted. The access will be session based and the user will have only enough access privileges to fulfill her or his business needs. User activities during the session will be monitored to identify any unusual behavior. All these controls are orchestrated under a zero trust policy engine and an administrator module, which would be the secret security detail protecting the president mentioned in the example.

Therefore, it can be concluded that the zero trust model is based on the following main assumptions:

• No user is trusted based on her or his group, profile or physical location.
• The physical or logical location of a device does not make it trusted.
• The origin or storage location of data does not make them safe.
• Network traffic is not secure even if it is generated and communicated internally.
• Policies must be dynamic and calculated based on input from various data sources.

Zero trust architecture is like tailoring a suit. The designer measures the consumer, creates a pattern and starts the sewing process. Zero trust follows a similar process. The only way to architect an effective and secure network is by first understanding what needs to be protected and how supporting IT systems work.⁴

A Business Case for Zero Trust

Security professionals agree that zero trust is the next generation of cybersecurity; however, a large number of C-level executives remain unaware of the concept and benefits of zero trust. The best way to create awareness is to build a business case to demonstrate costs and benefits, gain consent and move ahead with a plan.⁵

According to Verizon’s 2020 Data Breach Investigations Report (DBIR) report, 70 percent of breaches are caused by external actors, and 30 percent of breaches are caused by internal actors. On the other hand, the report also indicates that 45 percent of breaches were due to hacking, 22 percent were due to social engineering attacks and 8 percent were due to misuse by authorized users.⁶ All these numbers point toward the fact that victims have been attacked based on their weaknesses, whether it is weak authentication and authorization, a misconfigured web server, privileged access monitoring, or lack of user behavior analysis.

Chief information security officers (CISOs) have the responsibility to provide visibility to the C-suite on the current state of information security risk and the best possible strategies to mitigate the risk within available resources. As mentioned previously, because zero trust is a strategic concept, it should align with business priorities to seek endorsement from C-level management. Zero trust provides the following business benefits:⁷

• Improved asset visibility, which decreases the risk of unauthorized access
• Greater control in the cloud environment through authorized workloads
• Lower breach potential through verified and approved communications
• Lower compliance risk
• Business agility and speed

When presenting the business case for zero trust to management, CISOs need to complement the business benefits with numbers.

Building Blocks of Zero Trust

The development of a zero trust model is a set of guiding principles that are infrastructure independent and involve network infrastructure, system design and operations. Zero trust should not be considered a silver bullet, but it should be implemented with a balance of information security policies, identity and access management (IAM), encryption, multifactor authentication (MFA), and continuous monitoring.⁸

BECAUSE ZERO TRUST IS A STRATEGIC CONCEPT, IT SHOULD ALIGN WITH BUSINESS PRIORITIES TO SEEK ENDORSEMENT FROM C-LEVEL MANAGEMENT.

Zero trust architecture depends on carefully articulated policies that ensure data protection across the technology landscape. Therefore, it is imperative to ensure that each component of IT infrastructure is protected based on the same concept relayed by zero trust:

• Resources are categorized based on their criticality to the business process. The protection level depends on the criticality of the resource.
• Encryption needs to be in place for all communications to provide confidentiality, integrity and source authentication (e.g., public key infrastructure [PKI]).
• Inheritance-based access is not secure. All access is session based and follows pre-defined rules.
• Users and their devices are validated before granting access to the resource. User and device behaviors are monitored to detect any anomalies.
• All devices should be hardened and shall remain secure through progressive patching and configuration management.
• Users and devices shall be subject to reauthentication and reauthorization in case an anomaly is detected. This is normally achieved through an IAM, MFA and a strong device management system (DMS).
• Sufficient logs are maintained for analytics, which further improve the security posture.

Dissecting Zero Trust

Continuous improvement in zero trust theory has transformed it from network micro-segmentation to a whole new generation of solutions. To establish the rules, zero trust architecture must comprise the following technology components (figure 2):⁹

• Controller for governing zero trust policy across the network
• Data protection and encryption
• Data access policies enforcement
• MFA, IAM and DMS
• Network segmentation including micro-segmentation
• Threat intel feeds and anticipation
• Diagnostics, analytics and anomaly detection
• Real-time log aggregation and security information and event management (SIEM) system

Implementing Zero Trust

Zero trust migration requires extensive knowledge of business processes and underlying technology. Business priorities and current security maturity levels determine the direction and deployment strategy for zero trust in an organization. Some organizations may already be on a zero trust journey and, thus, prefer a gradual transition to zero trust architecture. A target state needs to be identified and a road map needs to be developed that shows the journey to the desired level.

The heart of zero trust architecture is to identify workflows for business applications. Once these workflows are identified and documented, the organization needs to identify actors/subjects and technology that interact during this workflow. This activity involves both technology and business staff. It is imperative that zero trust technologies should be able to run in hybrid mode as deployment takes time and there will be systems running outside the zero trust architecture scope. A sudden change in technology is not a viable option. It is always advisable to migrate to zero trust in alignment with the business.

Since zero trust migration is a marathon and not a sprint, the migration plan should be flexible enough to absorb any changes in business priorities and operating models.

Stakeholders should be mindful that a change in technology can impact the culture and practices of an organization. An example of this is changing MFA technology, which directly impacts the user’s login process. A transition plan should be in place for smooth migration to the new technology (figure 3).

Regardless of the model or approach the organization selects, zero trust tenants (figure 1) will always be considered. The following approaches are not a must to follow, but provide a general direction for zero trust architecture development.¹⁰

• Identity-centric—This approach is suitable for organizations with an open network with frequent visitors and noncorporate devices connecting to it. A user will connect to the network but will be restricted to access a particular resource on the network from a personal mobile device. Access to enterprise resources is subject to using specific enterprise applications along with MFA. While using the identity-centric approach, the emphasis should be on IDAM and MFA, while other zero trust components are used to develop a final confidence level to determine access level.
• Microsegmentation—Micro-segmentation is the technique of creating secure zones within a data center and cloud deployments that allow the organization to separate and secure each workload. This makes network security more granular and effective. These secure zones are created based on business services, and rules are defined to secure information workflow.
  
  Critical assets are placed in a network segment, which is protected by gateway security components (i.e., a next-generation firewall) acting as a zero trust policy enforcement point installed on a data resource and the client. The gateway(s) interact with the client-side agent to dynamically grant/revoke access based on real-time threat intelligence. Another deployment model could be a gateway deployed at the edge of a group of assets or a data center.
  
  A user’s access may be reduced or revoked based on the rules defined in the zero trust engine when he or she uses a personal device while using an approved authentication mechanism. The policy engine will reconfigure the user’s access when he or she logs in from a validated corporate device.
• Intent-based networks—Intent-based networks (IBNs) use artificial intelligence (AI) and machine learning (ML) techniques to collect, translate, propagate and monitor the network policies. IBN technologies use special network controllers that are connected to all network segments. Business rules are defined through a graphical user interface (GUI) and are then translated and pushed across the network. Subsequently, analytics and ML are used to continuously monitor the network if desired business outcomes have been achieved.

Top Risk in Zero Trust

There is risk in using a zero trust method. Some examples include:

• Lack of support from the C-suite may exist because of a limited understanding and awareness regarding zero trust, therefore:
  • A solid business case presented to C-level management should be supported by clear cost and benefits analysis.
• Lack of clarity on scope of work between business and engineering teams may impact desired results for workflow mapping, therefore:
  • The project charter should identify the scope of work as well as the roles and responsibilities of each stakeholder. The project sponsor should be a business executive.
• Lack of support from the organization on critical business risk assessment may result in the engineering team using their judgment based on IT architecture, therefore:
  • Business management should own the activity of identifying critical business processes.
• A zero trust migration plan may not be in line with business operations and priorities, therefore:
  • Migration plans should be reviewed and approved by business management.
• A difference of opinion among the business and engineering teams on desired outcomes from zero trust migration may occur, therefore:
  • Project review meetings should be held regularly to identify any conflict within the teams.
• Zero trust migration projects may suffer with c-suite return on investment (ROI) criteria, therefore:
  • A business case should identify ROI in order to gain c-suite support.
• The policy engine and administration component are at the heart of zero trust architecture. Decisions for granting and revoking access rights are executed here. A misconfigured or compromised policy engine or administration module can result in granting access that would not be approved under normal circumstances, therefore:
  • A mitigation control can be added following configuration best practices, limiting access to the configuration console as well as logging and auditing any changes to configuration.
• Social engineering has been an issue and can result in user impersonation until an anomaly is noted by zero trust components, which revokes the unauthorized access, therefore:
  • User awareness training and behavior analytics are needed.
• Strong IAM controls reduce the attack surface; however, cybercriminals with a compromised identity from an authorized machine may still be able to access partial information, therefore:
  • Reauthentication, reauthorization, session expiration, real-time log aggregation, behavior analytics, threat intel and mitigation are helpful.
• A payload downloaded while a user opens a malicious email may result in an advanced and persistent attack scenario, therefore:
  • Application white listing, real-time log aggregation, behavior analytics, threat intel and mitigation can help.
• A denial-of-service (DoS) attack is never out of books. In such a scenario, the zero trust policy engine and administrator component may not be available to support business operations, therefore:
  • DoS attack protection is needed.
• Modern zero trust components are supported with AI for making real-time decisions. Cybercriminals can exploit the application programming interface (API) for AI, which can help the attacker gain access to the target system, therefore:
  • Securing API through secured authentication and authorization practices is important, using user quota and throttling.

STRONG IAM CONTROLS REDUCE THE ATTACK SURFACE; HOWEVER, CYBERCRIMINALS WITH A COMPROMISED IDENTITY FROM AN AUTHORIZED MACHINE MAY STILL BE ABLE TO ACCESS PARTIAL INFORMATION.

Zero Trust Maturity Model

It is quite challenging to identify a maturity model for zero trust because there is no one size that fits all. Every organization is unique, operating in different industries with varied compliance requirements. As discussed, business priorities define the zero trust architecture and migration priorities. Figure 4 shows the effort to develop a yard stick that generally satisfies the basic requirements. It provides indicative information that can be used for assessment.

Zero Trust Adoption Trend

A 2020 zero trust progress report surveyed more than 400 cybersecurity decision-makers, ranging from technical executives to IT security practitioners and representing a balanced cross-section of organizations of varying sizes across multiple industries. According to one survey report, confidence among security professionals is mixed. Fifty-three percent have confidence, whereas 43 percent are still doubtful in applying a zero trust model in their architecture. This mixed reaction can be understood by the fact that 40 percent of zero trust implementations resulted in an increase in budget, whereas 45 percent of budgets remained the same, and only 15 percent of organizations witnessed a decrease in their budget. Seventy-two percent of organizations plan to assess or implement zero trust capabilities in some capacity in 2020 to mitigate growing cyberrisk.¹¹

Conclusion

Zero trust migration needs careful planning with an organizational change management process for a smooth transition. A joint effort from the organization and technology team with other stakeholders is imperative to make this initiative successful. Tools play their role, but to make any technology deployment successful, people and processes need to play their parts (figure 5). The zero trust model is gaining momentum among security professionals and organizations that are faced with multiple threats in the current cybersecurity landscape. The essence of success is to engage in deliberate efforts toward adding value to the organization.

ZERO TRUST MIGRATION NEEDS CAREFUL PLANNING WITH AN ORGANIZATIONAL CHANGE MANAGEMENT PROCESS FOR A SMOOTH TRANSITION.

In these chaotic days, it is challenging to initiate an architectural change to the technology landscape. Organizations are focused on securing their cash flow for unforeseen post-COVID-19 challenges. However, taking into consideration the COVID-19 pandemic, which has torn apart security strategies and remote access models, it is imperative to secure entry and exit doors to enterprise infrastructure before it is too late. A gradual transition that is positioned comfortably between business priorities and risk appetite is always preferred.

Endnotes

¹ McBride, S.; “Why the Largest Cyberattack in History Will Happen Within Six Months,” Forbes, 14 May 2020, www.forbes.com/sites/stephenmcbride1/2020/05/14/why-the-largest-cyberattack-in-history-will-happen-within-six-months/#45e87ada577c
² Oldham, M.; “Can Zero Trust Fix What’s Wrong With IT Security?” Portsys, 3 June 2019, https://portsys.com/can-zero-trust-fix-whats-wrong-with-it-security/
³ Kindervag, J.; “How to Build a Zero Trust Network,” BrightTALK webinar, 17 January 2019, www.brighttalk.com/webcast/10903/344314/how-to-build-a-zero-trust-network
⁴ Kindervag, J.; “Never Trust, Always Verify: Demystifying Zero Trust to Secure Your Networks,” DarkReading, 24 June 2019, www.darkreading.com/perimeter/never-trust-always-verify-demystifying-zero-trust-to-secure- your-networks/a/d-id/1334995
⁵ Kemp, T.; “Building a Business Case for Zero Trust Security,” SC Magazine, 10 April 2018, www.scmagazine.com/home/opinion/executive-insight/building-a-business-case-for-zero-trust-security/
⁶ Verizon, 2020 Data Breach Investigations Report, USA, 2020, https://enterprise.verizon.com/resources/reports/dbir/
⁷ Teitler, K.; “The Six Business Benefits of Zero Trust,” Edgewise, 16 June 2018
⁸ National Institute of Standards and Technology (NIST), NIST Special Publication (SP) 800-207 Zero Trust Architecture, USA, February 2020, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207-draft2.pdf
⁹ Ibid.
¹⁰ Ibid.
¹¹ PusleSecure, 2020 Zero Trust Access Report Infographic, USA, 2020, www.pulsesecure.net/resource/2020-zero-trust-access-report-infographic/

Muhammad Asif Qureshi, CISA, CIA, CISSP, CCISO, PMP

Is an experienced information security and risk assurance professional with a wealth of information systems security and auditing background. He is a governance, risk compliance manager at Tawazun Economic Council. Qureshi actively participates in mentoring and coaching activities for young learners in schools and colleges. He has been a guest speaker on cybersecurity-related topics for young students. He has expertise in security transformation skills gained over the last 20 years. His achievements include establishing an information security department in his organization from the ground up. He worked with a dedicated team to build the information security architecture for his organization and has been an integral part of this team since then.